As a seasoned cybersecurity analyst with over two decades of experience under my belt, I can confidently say that the emergence of Styx Stealer is yet another stark reminder of the ever-evolving threat landscape we find ourselves in today. The fact that this malware exploits a known vulnerability in Windows Defender’s SmartScreen feature, a tool designed to protect users from potential harm, is particularly concerning.
Styx Stealer, a new malware, stealthily swipes cryptocurrency from Windows-based computers.
Initially spotted by cybersecurity company Check Point Research back in April, Styx was found to be an enhanced version of the Phemodrone Stealer malware. This malicious software took advantage of a vulnerability in Windows that has since been fixed, allowing it to intercept cryptocurrency transactions and pilfer sensitive information from infected systems. The type of data stolen included private keys, browser cookies, auto-fill data for browsers, and more.
In the year 2024, Phemodrone initially gained attention around the beginning of the year. Different from Styx Stealer, it primarily targeted web browsers to empty cryptocurrency wallets while also gathering additional data.
In simpler terms, both types of malicious software (malware) are making use of a similar weakness found in the built-in antivirus for Windows called Windows Defender. This flaw stems from an older vulnerability present within the SmartScreen feature, which is supposed to alert users about potentially risky websites and downloads. However, these malware have learned to exploit this weakness instead.
On the other hand, Styx introduces fresh dangers due to its crypto-clipping functionality. Essentially, this malicious software tracks alterations in the clipboard and swaps any copied cryptocurrency wallet addresses with ones controlled by the attacker.
Previously, the Phorpiex botnet was known to use this technique to hijack crypto transactions.
As a researcher, I’ve discovered that Check Point Research’s findings indicate that the tool, Styx, is capable of identifying wallet addresses across nine different blockchains. These include Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Ripple (XRP), Litecoin (LTC), Bitcoin Cash (BCH), Stellar (XLM), Dash (DASH) and Neo (NEO).
As a researcher, I’ve identified that certain types of data, particularly those derived from browser extensions, Telegram, and Discord, are notably susceptible in Chromium- and Gecko-based web browsers.
The creator of the malicious software includes an automatic startup function and a user-friendly graphic design, allowing cybercriminals to effortlessly tailor and distribute it with ease.
Styx has means in place to conceal its activities, including methods that obscure its functions. It’s designed to avoid detection by ending processes linked with debugging software and identifying virtual machine settings. If a virtual machine environment is spotted, the Styx Thief automatically destroys itself.
Available via Telegram
1. The spread and commerce of this malware is handled personally via the Telegram account @styxencode and the website styxcrypter.com. Additionally, the Center for Internet Security (CIS) has found promotional materials such as ads and YouTube videos endorsing the harmful software.
Over 54 people have made payments totaling around $9,500 to the Styx developer, using different types of cryptocurrencies such as Bitcoin and Litecoin. Unlike its subsequent version, this malware is not free; instead, it is offered with a monthly subscription for $75, a three-month plan for $230, or lifetime access at $350.
The amount of crypto funds stolen or the scale of the systems infected using Styx remains unclear.
It’s been discovered that a type of malicious software, designed to steal cryptocurrency, has infiltrated Apple’s MacOS operating system, according to Kaspersky Lab’s report earlier this year. This malware specifically targeted Bitcoin and Exodus digital wallets by disguising itself as the original software but with subtle alterations.
As the cryptocurrency market grows, so does the temptation and profitability of hacks and thefts, leading to significant financial losses annually. Remarkably, certain notorious cybercriminals are choosing to retire from this line of work.
Last month, Angel Drainer, a drainer-as-a-service malware responsible for over $25 million in thefts, shut down operations. In November, multi-chain crypto scam service Inferno Drainer halted services.
Read More
Sorry. No data so far.
2024-08-18 15:32